“Catching” People Doing The Right Thing

What if we put some effort into incentivizing security behaviors in an overt way?

In some situations, could the work of infosec leadership be more about reinforcing positive behavior than correcting behavior that falls short?

Is that even possible to do in a way that doesn’t seem like intrusive surveillance or feel creepy?

Some years ago, business writers explored the concept of incentivizing behaviors through “catching” employees doing the right thing.

One writer suggested:

☑️​ Brainstorming the behaviors the organization wants to see more of.

☑️​ Writing the specific behaviors down on pieces of paper.

☑️​ Putting them all into a bowl or hat.

☑️​ Pulling one behavior out of the bowl/hat once each day.

During the day, business managers would look for employees doing the “right thing,” and make a point of calling out their good behavior.

Is there some way to do this with typical consumers that would move the needle in the right direction?

Perhaps at the point of signing in to a website, we could celebrate with users their strong password, or their use of MFA to log in, or . . . any other security behavior we want to encourage?

Is it possible to do this in a way that doesn’t feel like they’re being watched too closely?

This article from Harvard Business Review details putting these concepts to work at a large bank using stickers, and a Canadian law enforcement organization issuing “positive tickets.”

Just sitting here wondering if there’s a way to incorporate this into helping ordinary consumers become safer online.

Have you noticed anything along these lines that worked well? Or that failed?

Harvard Business Review: https://hbr.org/2012/10/catch-people-in-the-act-of-doing-things-right

— Anthony Collette 
